Shell script containing passwords.
Eric F Crist
ecrist at adtechintegrated.com
Tue Feb 10 09:05:17 PST 2004
On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <purple at lewiz.net> writes:
> > > I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my
> > > machine can read the auth script and read the passwords that would be
> > > contained within -- those to my MySQL server.
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it. Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
> This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www). As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
> There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts. I'm trying to work it out this way now
> but it's a lot of hassle.
> Thanks for your response,
Check the syntax for the .htaccess files in the httpd.conf file. This is a
file that must be non-readable by regular users via PHP, but Apache has a
filter written within the httpd.conf file to disallow access. I know it's
about 3/4 of the way down the page.
Eric F Crist
AdTech Integrated Systems, Inc
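
Added example, not part of the original thread: the exposure Lewis describes can be checked by evaluating file mode bits for the account that mod_php runs as. The Python script below lists files under a directory that appear to hold passwords and are readable by that account. The function names `readable_by` and `audit`, the credential regex and the default account name `www` are assumptions made for this example.

```python
import grp
import os
import pwd
import re
import stat
import sys

# Assumption: a crude marker for credentials embedded in PHP-style source.
CRED_RE = re.compile(rb"(?i)(pass(word|wd)?|pwd)[\"'\]]*\s*=")

def readable_by(st, uid, gids):
    """POSIX mode-bit check (ACLs ignored) for a stat result and an identity."""
    if uid == 0:
        return True                       # root bypasses mode bits
    if uid == st.st_uid:                  # owner class wins over group/other
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def audit(root, uid, gids):
    """Files under root that match CRED_RE and that uid/gids can read."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not readable_by(st, uid, gids):
                continue
            try:
                with open(path, "rb") as fh:
                    if CRED_RE.search(fh.read(65536)):
                        exposed.append(path)
            except OSError:
                pass                      # the auditor itself cannot read it
    return sorted(exposed)

if __name__ == "__main__":
    # Usage: audit.py DIR [ACCOUNT]; ACCOUNT defaults to "www" as in the thread.
    acct = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www")
    groups = {acct.pw_gid} | {g.gr_gid for g in grp.getgrall()
                              if acct.pw_name in g.gr_mem}
    for p in audit(sys.argv[1], acct.pw_uid, groups):
        print(p)
```

Search permission on parent directories and filesystem ACLs are not evaluated, so confirm any result against the real directory layout.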